Hi!
We use a self-hosted GitLab CE instance that gets regular updates, typically no later than three weeks after a security patch is released.
The server is available on the internet and there are a few public projects. Each of these projects has exactly one maintainer, which is a technical user that has the following properties (or had until a few days ago):
- regular user (not an admin)
- a dummy email with this ending: `@example.com`
- a personal access token with `api` scope
The personal access token is used by a job of a private repo to push stuff to one of the public repos.
Recently, this push started to fail with a `401`.
Then, we found out that this technical user has a second email ending with `@example.cm` (TLD of Cameroon). We also found out from the logs that this email obviously was confirmed.
We also found out that the `401` occurs if the user is unconfirmed, but I am not sure when and whether the user was unconfirmed. We’re just trying to reconstruct this timeline from the backups. (not sure if this can be seen in the logs / the DB?)
Is there an explanation for this other than hacking?
And if we got hacked, is there a known vulnerability that might be involved here, maybe one that got closed recently?
Best regards
Reis
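A defender-side check for the situation described in the post, added here as an example and not part of the original thread or of GitLab itself: given a technical account's user record and its list of secondary emails, flag an unconfirmed primary account (the cause of the `401` on the token) and any secondary email on a domain other than the expected one, distinguishing a one-character look-alike such as `example.cm` from an unrelated domain. The record fields (`state`, `confirmed_at`, `email`) are assumed to follow the layout of GitLab's admin `users` and `users/:id/emails` API responses; the records, the username `publisher-bot`, and the timestamps below are constructed for the example and are not taken from the post.

```python
"""Offline audit of a GitLab technical account for the anomaly in the post:
a confirmed secondary email on a look-alike domain, and/or an unconfirmed
primary account whose personal access token now fails with 401.

Assumption: the dicts below mirror the JSON that GitLab's admin API returns
for GET /api/v4/users/:id and GET /api/v4/users/:id/emails. All sample data
is constructed for this example.
"""

from typing import Dict, List, Tuple

ALLOWED_DOMAIN = "example.com"  # the domain the technical users are expected to use

Finding = Tuple[str, str]  # (code, human-readable detail)


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[-1].lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if two distinct strings differ by one insertion, deletion or
    substitution (e.g. 'example.cm' vs 'example.com')."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution: consume both
        j += 1      # insertion into b: consume only b
    # a trailing unmatched character in b is the (single) allowed edit
    return edits + (len(b) - j) <= 1


def audit_user(user: Dict, secondary_emails: List[Dict],
               allowed_domain: str = ALLOWED_DOMAIN) -> List[Finding]:
    """Return findings for one technical account and its secondary emails."""
    findings: List[Finding] = []

    # An unconfirmed or non-active account cannot authenticate with its PAT,
    # which matches the 401 seen by the CI job.
    if not user.get("confirmed_at"):
        findings.append(("primary_unconfirmed",
                         f"{user['username']}: primary account is unconfirmed; "
                         "API requests with its token will return 401"))
    if user.get("state") != "active":
        findings.append(("state_not_active",
                         f"{user['username']}: state is {user.get('state')!r}"))

    # Any secondary email outside the expected domain is worth a look;
    # a one-character look-alike domain is the higher-priority signal.
    for entry in secondary_emails:
        dom = domain_of(entry["email"])
        if dom == allowed_domain.lower():
            continue
        status = "confirmed" if entry.get("confirmed_at") else "unconfirmed"
        if within_one_edit(dom, allowed_domain.lower()):
            code = "lookalike_secondary_email"
            kind = f"look-alike of {allowed_domain}"
        else:
            code = "foreign_secondary_email"
            kind = "unrelated domain"
        findings.append((code, f"{user['username']}: secondary email "
                               f"{entry['email']} ({kind}, {status})"))
    return findings


# --- constructed sample records, not real data -------------------------------
SAMPLE_USER = {
    "id": 42, "username": "publisher-bot", "state": "active",
    "email": "publisher-bot@example.com", "confirmed_at": None,
}
SAMPLE_SECONDARY_EMAILS = [
    {"id": 7, "email": "publisher-bot@example.cm",
     "confirmed_at": "2024-01-01T00:00:00.000Z"},
]


def audit_sample() -> List[Finding]:
    """Run the audit on the constructed sample; used by the demo and tests."""
    return audit_user(SAMPLE_USER, SAMPLE_SECONDARY_EMAILS)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"[{code}] {detail}")
```

In a real run the two dicts would come from the admin API rather than being embedded; the checks themselves stay the same, and the `primary_unconfirmed` plus `lookalike_secondary_email` pair is exactly the combination the post describes.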